2014-01-24 18:31:25

by Dave Jones

Subject: Fix misplaced kfree from xlated_setup_gnttab_pages

Passing a freed 'pages' to free_xenballooned_pages will end badly
on kernels with slub debug enabled.

This looks out of place between the rc assign and the check, and
was likely a cut-and-paste error.

Signed-off-by: Dave Jones <[email protected]>

diff --git a/arch/x86/xen/grant-table.c b/arch/x86/xen/grant-table.c
index 103c93f874b2..28990cc97304 100644
--- a/arch/x86/xen/grant-table.c
+++ b/arch/x86/xen/grant-table.c
@@ -161,12 +161,11 @@ static int __init xlated_setup_gnttab_pages(void)

rc = arch_gnttab_map_shared(pfns, nr_grant_frames, nr_grant_frames,
&xen_auto_xlat_grant_frames.vaddr);
-
- kfree(pages);
if (rc) {
pr_warn("%s Couldn't map %ld pfns rc:%d\n", __func__,
nr_grant_frames, rc);
free_xenballooned_pages(nr_grant_frames, pages);
+ kfree(pages);
kfree(pfns);
return rc;
}
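
Review bot: with the only kfree(pages) now inside the if (rc) block, the success path in this hunk no longer frees pages; the removed line ran before the check, so it covered both outcomes. Unless pages is released further down, outside the lines shown, add a second kfree(pages) after the closing brace of the error block so the array is not leaked when arch_gnttab_map_shared() succeeds. The ordering inside the error block is right: free_xenballooned_pages(nr_grant_frames, pages) reads the array, so it has to come before kfree(pages).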


2014-01-24 18:47:06

by Konrad Rzeszutek Wilk

Subject: Re: Fix misplaced kfree from xlated_setup_gnttab_pages

On Fri, Jan 24, 2014 at 01:31:14PM -0500, Dave Jones wrote:
> Passing a freed 'pages' to free_xenballooned_pages will end badly
> on kernels with slub debug enabled.

Ouch.
>
> This looks out of place between the rc assign and the check, and
> was likely a cut-and-paste error.
>
> Signed-off-by: Dave Jones <[email protected]>
>
> diff --git a/arch/x86/xen/grant-table.c b/arch/x86/xen/grant-table.c
> index 103c93f874b2..28990cc97304 100644
> --- a/arch/x86/xen/grant-table.c
> +++ b/arch/x86/xen/grant-table.c
> @@ -161,12 +161,11 @@ static int __init xlated_setup_gnttab_pages(void)
>
> rc = arch_gnttab_map_shared(pfns, nr_grant_frames, nr_grant_frames,
> &xen_auto_xlat_grant_frames.vaddr);
> -
> - kfree(pages);
> if (rc) {
> pr_warn("%s Couldn't map %ld pfns rc:%d\n", __func__,
> nr_grant_frames, rc);
> free_xenballooned_pages(nr_grant_frames, pages);
> + kfree(pages);
> kfree(pfns);
> return rc;
> }

Actually it should also be freed on the success path, as so:


I can squash it in, if you are OK with that?

diff --git a/arch/x86/xen/grant-table.c b/arch/x86/xen/grant-table.c
index 103c93f..c985835 100644
--- a/arch/x86/xen/grant-table.c
+++ b/arch/x86/xen/grant-table.c
@@ -162,14 +162,15 @@ static int __init xlated_setup_gnttab_pages(void)
rc = arch_gnttab_map_shared(pfns, nr_grant_frames, nr_grant_frames,
&xen_auto_xlat_grant_frames.vaddr);

- kfree(pages);
if (rc) {
pr_warn("%s Couldn't map %ld pfns rc:%d\n", __func__,
nr_grant_frames, rc);
free_xenballooned_pages(nr_grant_frames, pages);
+ kfree(pages);
kfree(pfns);
return rc;
}
+ kfree(pages);

xen_auto_xlat_grant_frames.pfn = pfns;
xen_auto_xlat_grant_frames.count = nr_grant_frames;
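
Review bot: kfree(pages) now appears twice, once at the end of the error block and once right after it, while the changelog from the first version of the patch only describes the use after free on the error path. When squashing, state in the commit message that the success-path free is kept on purpose, and consider a one-line comment above free_xenballooned_pages(nr_grant_frames, pages) saying that pages must stay allocated until that call returns, since that ordering is what the original code got wrong.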

2014-01-24 18:49:12

by Dave Jones

Subject: Re: Fix misplaced kfree from xlated_setup_gnttab_pages

On Fri, Jan 24, 2014 at 01:46:55PM -0500, Konrad Rzeszutek Wilk wrote:
> Actually it should also be freed on the success path, as so:
>
> I can squash it in, if you are OK with that?

Looks good to me.

thanks,

Dave

> diff --git a/arch/x86/xen/grant-table.c b/arch/x86/xen/grant-table.c
> index 103c93f..c985835 100644
> --- a/arch/x86/xen/grant-table.c
> +++ b/arch/x86/xen/grant-table.c
> @@ -162,14 +162,15 @@ static int __init xlated_setup_gnttab_pages(void)
> rc = arch_gnttab_map_shared(pfns, nr_grant_frames, nr_grant_frames,
> &xen_auto_xlat_grant_frames.vaddr);
>
> - kfree(pages);
> if (rc) {
> pr_warn("%s Couldn't map %ld pfns rc:%d\n", __func__,
> nr_grant_frames, rc);
> free_xenballooned_pages(nr_grant_frames, pages);
> + kfree(pages);
> kfree(pfns);
> return rc;
> }
> + kfree(pages);
>
> xen_auto_xlat_grant_frames.pfn = pfns;
> xen_auto_xlat_grant_frames.count = nr_grant_frames;